Thanks so much for the commentary on this! We found it! It looked a lot like changing shared secrets, but we found that there was some kind of timer on the NAS that would change the decryption every X min to prevent brute force, making the browser or intermediary breaking the decrypt/encrypt sync if you dont log in fast enough, it was very low. (1 min), after a fail, it would then refresh it, and it would accept. We moved that time up to 100 min and you are right, Free radius does it right, every time! For the WWW, 'failed authentication block' is what it was called, and set it to something above 10 min so users can get logged in before their decryption changes. the documentation we had did not say that was the way it handled brute force prevention, and im not sure it is even a good way of doing brute force prevention as it is still sending the junked password up to radius. We did some pcap'ing yesterday, and also looked at what the NAS was sending up and out the bad info vs blocking it as to what that setting leads us to beleive, and saw the scramble was originating locally. THANK YOU! On Fri, Nov 9, 2018 at 10:05 AM Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On Nov 9, 2018, at 12:58 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On Nov 7, 2018, at 4:47 PM, Sam T <givemesam@gmail.com> wrote:
Hi!
We are getting close to a workable solution with freeradius!
When running freeradius in debug mode we can see that sometimes it comes in correctly, and other times in some kind of junky value.
The shared secret is wrong. If your NAS supports Message-Authenticator, enable it and FreeRADIUS will tell you that the shared secret is wrong.
The other things it could be are an intermediary proxy, not decrypting/re-encrypting the password value correctly.
Bytes being overwritten in the message authenticator. Bytes being overwritten in the User-Password attributes.
Packets coming from different source IPs (with different shared secrets).
Uninitialised memory in the RADIUS client screwing up the encryption, etc..
Use radsniff with captured packets and pass -s to verify it's not a client lookup issue.
Send packets directly if you're using a proxy.
Verify PCAPs on the NAS and RADIUS server have the same content.
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html